Security Risk Management: Crazy, Weird and Insane Facts.

Academics, scholars and experienced practitioners agree that security risk management is an emerging profession.

Lacking universal definitions, consistency in education and a shared, professional body of knowledge, security risk management is less evolved than say engineering, medicine or economics. 

Security risk management is and will remain, a multi-disciplined, solutions and science orientated pursuit. 

Make no mistake though, there is already significant science, research, data, peer-reviewed and academic knowledge available and applied within the industry and the profession in both the public and private security domains. 

This is all converging to create what has been termed Enterprise Security Risk Management or ESRM.

A holistic, enterprise-wide approach to security and risk management, rather than piecemeal, fragmented or silo orientated concepts of the past. 

So let’s look at some of the crazy, weird and even insane facts done in the name of security and risk management. 

Career military personnel are being hired and placed in roles responsible for crime prevention and commercial risk management, even though they have never spent a day in their lives fulfilling such a role, nor do they have specific technical education and experience in this area. 

Career police personnel are being hired and placed in regional or global roles even though they have never worked or been commercially engaged outside of the cities, towns or suburbs in which they have policed or been stationed. 

Government security, intelligence and federal agents are being hired and placed in commercial security roles responsible for multinational locations, budget forecasting and even subordinate development when they have never spent a day in their lives fulfilling these functions. 

Corporate and commercial security managers and directors are overseeing security risk management functions within their respective organisations, even though just a few short years ago they were accountants, general managers, lawyers, and administrators. 

Senior security and risk management roles are being filled by individuals with formal qualification and degrees not specific to the roles and responsibilities of the job, such as criminology, military, strategic studies and policing. 

Cyber security and information technology professionals, flavour of the month at present, are overseeing physical security, enterprise risk, manpower and countless other functions well outside their qualifications and experience covers. 

Companies are hiring for specific roles and dictating security and risk management qualifications and experiences formed by these non-aligned advisors or even worse, some random, perceived view of what security and risk management requires. 

Middle and senior security risk management individuals sit with titles and responsibilities, even though they don’t have a single technical and specific security qualification or education, merely a past life in the government, police, or the services. 

Random training providers and courses are popping up routinely offering “security training” without any background, credentials, experience, academic or professional knowledge in the area of security or risk management.

Commissioning few random ‘experts’ for a workshop, training session or “certified’ course don’t qualify either. 

The US and UK are still at war, each side claiming dominant standards, associations, credentials or security and risk management practices, often leading to preferential hiring and selection processes too. 

This war of standards and concepts is then rained down upon the non-superpower countries, communities and locations, dismissing any local nuances, expertise or experience that may be present or developing. 

No doubt this will offend or upset some within the industry but it is most likely those that tick one or more of the aforementioned boxes.

Academics, businesses, peers, courts and professionals are now starting to pay closer attention to these issues, and they don’t like what they see. 

An emerging body of research and critique is focusing on the inappropriate or poor levels of specific and technical security risk management education of those charged with the role.

Organisations are starting to ask pointed questions and investigate specific claims of “expertise”, specific to their requirements, not some past life in the military, police or government. 

Courts and legal professionals are clear, experienced and ruthless in defining “experts” and qualified opinions.

Qualified and experienced professionals simply don’t associate, communicate, value or rely on amateur, unqualified input offered by these individuals, they know the significant risk the pose and they have been around long enough to quickly identify who is competent, qualified and contributes, no matter how nice, articulate or senior they may be. 

Buyer beware. 

As much as I would like for these facts to be untrue or sensationalised, sadly they are true. 

Nobody is perfect, nobody knows everything but the time has come for security risk management to collectively progress the profession and make these distinctions and clarifications between enthusiast, specialists, professionals and simply those who managed to get past poor hiring and technical qualification processes.

For those that would like a more technical, academic perspective on this, I would recommend you start with the Dunning-Kruger Effect, and progress from there. 

Tony Ridley

Enterprise Security Risk Management & Security Science